Archive for category Exploits

Java_signed_applet with RJB

I just wasted a lot of time trying to get the java_signed_applet exploit module working in Metasploit. Not that it doesn’t work by default, but you will get the warning [-] [-] The JDK failed to initialized: no such file to load — rjb [-] In order to dynamically sign the applet, you must install […]

, , , , , ,

Leave a comment

Finding non-ASLR or DEP modules

As the recent exploits for IE using the .NET 2.0 DLL demonstrate, sometimes a non-ASLR DLL to enable an exploit is just a LoadLibrary away. So if pvefindaddr won’t give you any ASLR-free DLL’s in memory, look for other DLL’s which the process will load, given the right input. Or from a system-hardening or development […]

, , , , , , ,

2 Comments

Black Hat DC Presentation

The materials in the presentation, including the exploits used, are downloadable here. Have fun counterattacking! Update: the actual slides are at http://scriptjunkie1.110mb.com/security/counterattack.pdf and paper is at http://scriptjunkie1.110mb.com/security/whitepaper.pdf.

, ,

Leave a comment

Fun with lnk files

Stuxnet used an 0day .lnk icon dll-loading vulnerability to own its targets via thumb drives. But if you don’t have a fancy 0day, chances are, you can still get someone to open a link. Link files are great because they often escape the scrutiny of executable .exe files or batch scripts since they don’t directly […]

Leave a comment

Command stagers in Windows

Command injection/execution bugs are a relatively common vulnerability. For example, Internet Explorer, Google Chrome, and Mozilla Firefox have all had these problems, at least including common add-ons. (see http://www.securityfocus.com/archive/1/archive/1/499570/100/0/threaded, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5045, etc.) Many server-side scripts in webapps also suffer from the same issues. Against a Linux target, many exploitation possibilities abound, from staging a payload via […]

, , , , , , ,

Leave a comment

Insecure service permission privilege escalation

A number of metasploit modules already exist to escalate privileges based on insecurely installed services, such as the HP PML driver. But other services also suffer from the same problems and it is not worth making a new script for every obscure service; it would be easier to have one that could scan for such […]

Leave a comment

PXE exploitation

Update 2: See the latest, including the Defcon talk at my new blog: http://www.scriptjunkie.us/2011/08/network-nightmare/ Update: This complete attack, including the DHCP server, has been incorporated into Metasploit. Update and enjoy. The module is auxiliary/server/pxexploit PXE booting has been around for over a decade and is supported by most system BIOSs. And I have also seen […]

2 Comments

Maple exploit

Exploit for an 0day vulnerability (feature?) in Maple. https://www.metasploit.com/redmine/projects/framework/repository/revisions/9183 Default Maple security settings prevent code from running in a normal maple worksheet (.mw) without user interaction, but those setting do not prevent code in a .maplet from running. Put malicious code at start of .maplet, get the target to double-click and … profit. (As a […]

Leave a comment

XSS, no really

XSS tends to get the eyeroll treatment from security pros since a) it’s everywhere. 2 min of looking for an example on the GOP website, and tada: http://www.gopstore.com/cgi-bin/rnc/scan/st=db/co=yes/sf=prod_group/se=stick%3Cimg%20src=0%20onerror=%22alert%281%29%22%20%3Eer/op=eq/tf=description/ml=12/sp=1stickers.html b) your 8-year-old kid can find it after about 2 minutes of instruction c) it doesn’t give you a shell (directly) But it still works. And it […]

Leave a comment